SharePoint: Issues with profile pictures when MySite uses SAML auth

Symptoms

There are two different known symptoms with the same cause and solution:

#1
When running User Profile Synchronization, nothing is imported or exported. In the Forefront Identity Manager (FIM) client, we see “stopped-extension-dll-exception” for the MOSS_FullImport and MOSS_DeltaImport steps.

In the Application event log on the server running the User Profile Synchronization service (Sync server), the following error is thrown at the same time as when “stopped-extension-dll-exception” is thrown in the FIM client.

Note that the 403 Forbidden is thrown at “ProfileImportExportExtension.DownloadPictures”. That's where the FIM service tries to download the user profile pictures.

#2
Within site collections in your non-mysite web apps, any place that a user profile photo is supposed to be shown (user information list, site permissions, people and groups, person or group columns, etc), there is an ‘x’ shown in place of the picture. If you browse to the Mysite web application and authenticate and then go back to the previous site, the pictures are shown correctly.

Cause

The Mysite Web Application is configured for Trusted Provider (SAML / ADFS) authentication.
The profile pictures are stored at the root of the mysite host.
For example: http://MySiteRoot.contoso.com/User Photos/Profile Pictures/UserName_MThumb.jpg"

For problem #1 above, the FIM Sync service must retrieve each picture with an HTTP GET, but does not know how to do ADFS authentication, so it fails with 403 Forbidden.

For problem #2, the user is not yet authenticated to the Mysite web app, so retrieving the profile pictures to display within other web apps fails. As soon as the user authenticates to the Mysite web app, the pictures can be retrieved.

Resolution

The solution to both of these problems is to simply enable the “User Photos” library (and only that library) for anonymous access.
That way, authentication is not required to retrieve the profile pictures. The FIM Sync service and the worker processes for the non-mysite web apps can now grab the pictures with no issue.

Here’s how you would do it:

In Central Admin | Manage Web Applications, choose the MySite web app and “Authentication Providers”. Choose the zone that ADFS is enabled in and select the check box for “Enable Anonymous Access”.

Browse to the Mysite host | Site Settings | Site Permissions.
Select “Anonymous Access” in the Ribbon and choose “Lists and Libraries”Note: Anonymous users still don’t have access to anything, but now you can choose individual lists and libraries to give anonymous access to.

Note: I have not tested this yet with SharePoint 2016 and Microsoft Identity Manager (MIM) 2016, but I'm guessing MIM still lacks the capacity to authenticate via SAML, so the same resolution applies there.

I’m in the process of setting up MIM User Profile Sync with a Farm that also uses ADFS for user authentication. I’m having a hard time finding any documentation online about how to prevent duplicates. MIM exports the users to SharePoint with account names in the format DOMAIN\username. It looks like profiles with SAML account names are also created by the ADFS connector. How do you correlate the two so that a user is assigned to their correct profile when they log in, and we do not have duplicate profiles for everyone?

You’re getting duplicates because MIM is not importing the profiles with the correct account name. It should be done in SAML-claims format and look something like i:05.t|ADFS|Josh@contoso.com (where “ADFS” is the name of my trusted provider, and I’m using email is my identity claim).